security: Fix 10 vulnerabilities, remove 12 dead code instances

Critical fixes: - Remove hardcoded admin/admin123 credentials from UserManager - Enable JWT signature verification (was disabled for debugging) - Redact secrets from /dev/config endpoint (was exposing os.environ) - Remove hardcoded SSH admin/admin credentials from hardware service - Add channel validation to prevent command injection in router interface Rust fixes: - Replace partial_cmp().unwrap() with .unwrap_or(Equal) to prevent NaN panics in 6 locations across core, signal, nn, mat crates - Replace .expect()/.unwrap() with safe fallbacks in utils, csi_receiver - Replace SystemTime unwrap with unwrap_or_default Dead code removed: - Duplicate imports (CORSMiddleware, os, Path, ABC, subprocess) - Unused AdaptiveRateLimit/RateLimitStorage/RedisRateLimitStorage (~110 lines) - Unused _log_authentication_event method - Unused Confidence::new_unchecked in Rust - Fix bare except: clause to except Exception: https://claude.ai/code/session_01Ki7pvEZtJDvqJkmyn6B714
2026-02-28 07:04:22 +00:00
parent ea452ba5fc
commit 7afdad0723
23 changed files with 81 additions and 192 deletions
--- a/v1/src/app.py
+++ b/v1/src/app.py
@@ -3,7 +3,6 @@ FastAPI application factory and configuration
 """

 import logging
-import os
 from contextlib import asynccontextmanager
 from typing import Optional

@@ -17,7 +16,6 @@ from starlette.exceptions import HTTPException as StarletteHTTPException
 from src.config.settings import Settings
 from src.services.orchestrator import ServiceOrchestrator
 from src.middleware.auth import AuthenticationMiddleware
-from fastapi.middleware.cors import CORSMiddleware
 from src.middleware.rate_limit import RateLimitMiddleware
 from src.middleware.error_handler import ErrorHandlingMiddleware
 from src.api.routers import pose, stream, health
@@ -294,10 +292,21 @@ def setup_root_endpoints(app: FastAPI, settings: Settings):
    if settings.is_development and settings.enable_test_endpoints:
        @app.get(f"{settings.api_prefix}/dev/config")
        async def dev_config():
-            """Get current configuration (development only)."""
+            """Get current configuration (development only).
+
+            Returns a sanitized view of settings.  Secret keys,
+            passwords, and raw environment variables are never exposed.
+            """
+            # Build a sanitized copy -- redact any key that looks secret
+            _sensitive = {"secret", "password", "token", "key", "credential", "auth"}
+            raw = settings.dict()
+            sanitized = {
+                k: "***REDACTED***" if any(s in k.lower() for s in _sensitive) else v
+                for k, v in raw.items()
+            }
            return {
-                "settings": settings.dict(),
-                "environment_variables": dict(os.environ)
+                "settings": sanitized,
+                "environment": settings.environment,
            }
        
        @app.post(f"{settings.api_prefix}/dev/reset")